Open access.log: permission denied

I’m trying to run caddy as the www-data user.

If I run the caddy command as root, it runs fine:

/usr/local/bin/caddy -log=/var/log/caddy/caddy.log -conf=/etc/caddy/Caddyfile -root=/var/tmp

If I run the same as www-data, I get an error:

open access.log: permission denied

I also get the error when I try to run caddy with systemd.
I can’t figure out where access.log is coming from and what its path is, so that I can set the correct permissions.

Archlinux x86_64
Caddy 0.9.3

my Caddyfile:

my-domain {
	redir www.my-domain{uri}
}
www.my-domain {
    root /var/www/my-domain
    #fastcgi / 127.0.0.1:9000 php
    fastcgi / /run/php-fpm/php-fpm.sock php

    status 403 /forbidden

    log /var/log/caddy/my-domain.log {
        size 50
        age 90
        keep 5
    }
    errors /var/log/caddy/my-domain.errors {
        size 50
        age 90
        keep 5
    }

    # Begin - Security
    # deny all direct access for these folders
    rewrite {
        if {path} match /(.git|cache|bin|logs|backups|tests)/.*$
        to /forbidden
    }
    # deny running scripts inside core system folders
    rewrite {
        if {path} match /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
        to /forbidden
    }
    # deny running scripts inside user folder
    rewrite {
        if {path} match /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
        to /forbidden
    }
    # deny access to specific files in the root folder
    rewrite {
        if {path} match /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
        to /forbidden
    }
    ## End - Security

    # global rewrite should come last.
    rewrite {
        to  {path} {path}/ /index.php?_url={uri}
    }
}

systemd service

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-failure

; User and group the process will run as.
User=www-data
Group=www-data

; Letsencrypt-issued certificates will be written to this directory.
Environment=HOME=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log=/var/log/caddy/caddy.log -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp -email=zajca@zajca.cz
ExecReload=/bin/kill -USR1 $MAINPID

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=64

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Hrm, why is it trying to open access.log anyway?

Run find /var/log -name "*.log" and see what comes up; you might find your errant access.log.

There is an access.log, but www-data has rights to write to it.

# find /var/log -name "*.log" -exec ls -alh {} +
-rwxrwxrwx 1 www-data www-data    0 Nov 11 22:03 /var/log/access.log
-rw-r--r-- 1 www-data www-data   49 Nov 11 22:51 /var/log/caddy/caddy.log
-rw-r--r-- 1 www-data www-data  334 Nov 11 22:50 /var/log/caddy/my-domain.log
-rw-r--r-- 1 www-data www-data 6.9K Nov 11 22:50 /var/log/fpm-php.www.log
-rwxrwxrwx 1 root     root     4.3K Nov 11 21:42 /var/log/pacman.log

I ran the command with strace and found out that caddy is trying to create access.log in the current directory, i.e. wherever I run the command from.
I can’t figure out how to change this directory.

...
stat("/var/log/caddy", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/var/log/caddy/my-domain.log", O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC, 0644) = 3
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "access.log", O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 4
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\r\0\0\0\r\0\0\0\0"..., 4096) = 2971
read(4, "", 4096)                       = 0
close(4)                                = 0
write(2, "2016/11/12 10:23:24 open access."..., 552016/11/12 10:23:24 open access.log: permission denied
) = 55
...

I also tried setting WorkingDirectory=/home/www-data/
But that’s not working either, and I get:

caddy.service: Failed at step CHDIR spawning /usr/local/bin/caddy: No such file or directory

I removed these directives and caddy runs fine :confused:
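The strace excerpt above shows the mechanism behind the error: access.log is opened by a relative path, so it lands in whatever working directory the process starts in. Run by hand that is the shell's current directory; under systemd a system service starts in / unless WorkingDirectory= is set, and / is not writable by www-data. Note also that this unit sets ProtectHome=true, which makes /home inaccessible and empty to the service, so a WorkingDirectory under /home cannot be entered even if it exists on the host. The shell helper below is an added example, not part of the thread or of Caddy: it parses strace output for openat() calls that use a relative path and resolves them against the working directory a unit file would give the service. The sample trace lines and the unit fragment are constructed for the example (the "Caddyfile" open is invented to show a successful relative open).

```shell
#!/bin/sh
# Added example (not from the thread or from Caddy): find files a daemon opens
# by a *relative* path in an strace log and resolve them against the working
# directory the service will actually have under systemd.

# Constructed sample strace excerpt, modelled on the lines posted in the thread.
# "Caddyfile" is an invented successful relative open to show the "ok" case.
SAMPLE_TRACE='stat("/var/log/caddy", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/var/log/caddy/my-domain.log", O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC, 0644) = 3
openat(AT_FDCWD, "Caddyfile", O_RDONLY|O_CLOEXEC) = 5
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "access.log", O_RDWR|O_CREAT|O_APPEND|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 4'

# Constructed unit fragment: like the unit in the thread it has no
# WorkingDirectory= line, so systemd starts the service in / and a relative
# "access.log" means "/access.log".
SAMPLE_UNIT='[Service]
User=www-data
ProtectHome=true'

# unit_cwd: read a unit file on stdin and print the directory the service will
# start in: the last WorkingDirectory= value (leading "-" stripped), otherwise
# "/", which is systemd's default for system services.
unit_cwd() {
  wd=$(sed -n 's/^WorkingDirectory=//p' | tail -n 1)
  wd=${wd#-}
  printf '%s\n' "${wd:-/}"
}

# relative_opens CWD: read strace output on stdin and print
# "<errno-or-ok><TAB><absolute path>" for every openat(AT_FDCWD, "...") whose
# path is relative. Absolute paths are skipped: the CWD cannot affect them.
relative_opens() {
  awk -v cwd="${1%/}" '
    /^openat\(AT_FDCWD, "/ {
      path = $0
      sub(/^openat\(AT_FDCWD, "/, "", path)   # drop everything before the path
      sub(/".*$/, "", path)                    # drop everything after it
      if (path ~ /^\//) next
      # " = -1 EACCES (...)" marks a failed call; keep just the errno name
      if (match($0, / = -1 [A-Z]+/)) status = substr($0, RSTART + 6, RLENGTH - 6)
      else status = "ok"
      printf "%s\t%s/%s\n", status, cwd, path
    }'
}

# Walk the sample end to end: where the service starts, which relative opens
# fail, and which absolute paths they resolve to.
demo() {
  cwd=$(printf '%s\n' "$SAMPLE_UNIT" | unit_cwd)
  printf 'service working directory: %s\n' "$cwd"
  printf '%s\n' "$SAMPLE_TRACE" | relative_opens "$cwd"
}

demo
```

On a real host, feed it a trace captured with strace -f -o caddy.trace and the unit text from systemctl cat caddy.service. Every path it prints has to exist and be writable by the service user, or be moved to an absolute path in the configuration; alternatively set WorkingDirectory= to a directory that exists, is owned by that user, and is not hidden by ProtectHome= or made read-only by ProtectSystem=.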

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.